ABSTRACT

A method for controlling keys used in the verification of encoded information generated by a transaction evidencing device and printed on a document comprises the steps of generating a plurality of random verifier master keys to obtain a set of verifier master keys consisting of a fixed number of keys; generating at least one pointer by applying a pseudorandom algorithm to data unique to the transaction evidencing device; calculating a plurality of verifier token keys to obtain a verifier token key set corresponding to the set of verifier master keys; encrypting the verifier token key set with a privacy key; and distributing the set of verifier token keys and the privacy key to verifiers. The token keys are a function of the verifier master keys and a code valid for a limited time. The pointer algorithm is an appropriate symmetric key cryptographic algorithm and the code is a function of a date dependent parameter. The master keys are distributed to postal and vendor data centers.

5 Claims, 4 Drawing Sheets 
SYSTEM AND METHOD OF VERIFYING CRYPTOGRAPHIC POSTAGE EVIDENCING USING A FIXED KEY SET

FIELD OF THE INVENTION

The present invention relates generally to a method for verifying indicia and, more particularly, to such a method for verifying indicia using a fixed key set.

BACKGROUND OF THE INVENTION

Digital printing technology has enabled mailers to implement digital, i.e. bit map addressable, printing for the purpose of evidencing payment of postage. Advances in digital printing technology have made it possible to print on a mailpiece a postage indicium that is unique to the mailpiece. The indicium is unique because it includes information relating directly to the mailpiece, for example, postage value, date, piece count, origin postal code and/or destination postal code (referred to herein as indicium information or indicium data).

From the Postal Service's perspective, it will be appreciated that the digital printing and scanning technology make it fairly easy to counterfeit a postal value bearing indicium since any suitable computer and printer may be used to generate multiple copies of an image once generated. In order to validate an indicium printed on a mailpiece, that is to ensure that accounting for the postage amount printed on a mailpiece has been properly done, it is known to include as part of the franking an encrypted number such that, for instance, the value of the franking may be verified from the encrypted data in the indicium to learn whether the value as printed on the mailpiece is correct. See, for example, U.S. Pat. Nos. 4,757,537 and 4,775,246 to Edelmann et al., as well as U.S. Pat. No. 4,649,266 to Eckert. It is also known to authenticate a mailpiece by including the address as a further part of the encryption as described in U.S. Pat. No. 4,725,718 to Sansone et al. and U.S. Pat. No. 4,743,747 to Fougere et al.

U.S. Pat. No. 5,170,044 to Pastor describes a method and apparatus for the representation of binary data in the form of an indicium comprising a binary array of pixels. The actual arrays of pixels are scanned in order to identify the sender of the mailpiece and to recover other encrypted and plain text information. U.S. Pat. No. 5,142,577 to Pastor describes various alternatives to the DES algorithm for encrypting a message and for comparing the decrypted postal information to the plain text information on the mailpiece.

U.K. Patent Application 2,251,210A to Gilham describes a meter that contains an electronic calendar to inhibit operation of the franking machine on a periodic basis to ensure that the user conveys accounting information to the postal authorities. U.S. Pat. No. 5,008,827 to Sansone et al. describes a system for updating rates and regulation parameters at each meter via a communication network between the meter and a data center. While the meter is on-line, status registers in the meter are checked and an alarm condition raised if an anomaly is detected. U.S. Pat. No. 4,853,961 to Pastor describes critical aspects of using public key cryptography for mailing applications.

U.S. Pat. No. 5,390,251 to Pastor et al. describes a system for controlling the validity of printing of indicia on mailpieces from a potentially large number of users of postage meters including apparatus disposed in each meter for generating a code and for printing the code on each mailpiece. The code is an encrypted code representative of the apparatus printing the indicium and other information uniquely determinative of the legitimacy of postage on the mailpieces. The keys for the code generating apparatus are changed at predetermined time intervals in each of the meters. A security center includes apparatus for maintaining a security code database and for keeping track of the keys for generating security codes in correspondence with the changes in each generating apparatus and the information printed on the mailpiece by the postage meter apparatus for comparison with the code printed on the mailpiece. There may be two codes printed, one used by the Postal Service and one by the manufacturer. The encryption keys may be changed periodically, for example on a daily basis or for printing each mailpiece.

Recently, digital postage meters, such as the Personal Post Office™ meter manufactured by the assignee of the present invention, have been developed. Such digital meters employ cryptographic means to produce evidence of postage payment. The encryption is performed using cryptographic keys for signing indicium data printed on the envelope with two digital tokens. In each digital meter, independent keys stored therein are used for generating two different types of tokens needed for verification of indicia printed on mailpieces. One digital token provides evidence of postage paid to the Postal Service; the other digital token provides evidence to the vendor, such as the assignee of the present invention. As used herein, a digital token is a truncation of the result of a symmetric-key cryptographic transformation, such as a truncated Data Encryption Standard Message Authentication Code, applied to data appearing in the indicium. The indicium data elements, also referred to herein as input postal data or simply postal data, may include postage value, date, register values, postal code of the geographical deposit area, recipient address information and piece count. A verifier with access to a key matching the key used for generating the digital token in the digital meter performs digital token validation, i.e., verification that accounting for the postage value printed in the indicium has been properly done.

For security reasons, the keys in each meter are different. Information about the meter and mailpiece are combined and separately encrypted with vendor and with postal master keys or keys derived therefrom. Portions of the resulting information are printed on the mailpiece as digital tokens. The indicium information and the associated digital tokens can be verified by a device that processes the information in the same manner with the same keys and compares the resulting digital tokens with those printed on the mailpiece.

It will be appreciated that in order to verify the indicium information printed on a mailpiece, a verifier must first be able to obtain the key used by the particular meter that generated the indicium. In trying to deal with mailing systems which may incorporate such encryption systems, it must be recognized that the meter population is large and subject to constant fluctuation as meters are added and removed from service. If the same key were to be used for all meters, the key distribution is simple but the system is not secure. Once the code is broken by anyone, the key may be made available to other users and the entire operation is compromised. However, if separate keys are used respectively for each meter then key management potentially becomes extremely difficult considering the fluctuations in such a large population.

U.S. patent application Ser. No. 08/133,416, filed Oct. 8, 1993, and assigned to the assignee of the instant application describes a key management system for mail processing that assigns one of a set of predetermined keys by a determined
relationship to a particular meter, effectively allowing multiple meters to share a single key. The key management system includes the generation of a first set of keys which are then used for a plurality of respective postage meters. A first key of the first set of keys is then related to a specific meter in accordance with a map or algorithm. The first key may be changed by entering a second key via an encryption using the first key.

U.S. patent application Ser. No. 08/414,896, filed Mar. 31, 1995, and assigned to the assignee of the instant application, describes a method of token verification in a Key Management System. The method provides a logical device identifier and a master key created in a logical security domain to a transaction evidencing device, such as a digital postage meter. A master key record is created in a key verification box, and the master key is securely stored as a record in a Key Management System archive. Evidence of the transaction information integrity and the master key record from the Key Management System archive are input into a token verification box. The token verification box determines that the master key is valid, uses the master key to verify the evidence of transaction information integrity, and outputs an indication of the result of the verification of the evidence of transaction information integrity. The master key record includes the logical device identifier, the master key and a digital signature associating the logical device identifier and the master key. The token verification box checks the digital signature to verify the association of the logical device identifier and the master key within the logical security domain.

SUMMARY OF THE INVENTION

It has been found that distributing master keys of the digital meters to verifiers may jeopardize the security of the verification system. The present invention performs verification of indicia using time dependent "token keys" that are valid for a limited time. Thus, the present invention provides a verification system that includes a verifier that does not require access to master keys stored in the digital meters to perform verification of indicia. It has been found that the present invention improves security of digital meters by providing a simplified means for posts to validate indicia in real time and reduces the need to recreate or communicate the master keys of the digital meters. It has also been found that the present invention minimizes the cost of verification by taking advantage of existing postal processes and infrastructure. It has further been found that the present invention achieves interoperability of the indicium verification infrastructure with postal processing. An important element of the verification infrastructure is the cost of maintenance of a correct, secure and timely correspondence between postage evidencing keys and postage verification keys.

The present invention provides for validation at local or regional post offices. The token key set contains a fixed number of encrypted verification token keys that are date dependent, for example, preferably valid for only one month. If the verification token key set is stolen or compromised in any way, it is only useful for a limited time, such as one month.

The postal data is read from the indicia. The encrypted, date dependent token key for the meter is retrieved from the token key set stored at the verifier. The verifier decrypts the verification token key and generates a digital verifier token using the verification token key with the postal data. Finally, the verifier compares the generated verifier token to the verifier token read from the indicia and a pass/fail determination is made to complete the validation process.

In accordance with the present invention three digital tokens are used to evidence postage. One token is verified, as needed, by the Postal Service and a second is verified, as needed, by the vendor. These first two tokens are the same as set forth in U.S. Pat. No. 5,390,251, previously noted. The third token is added for distributed postal verifiers for "real time" verification. To simplify key management for the verifiers, a fixed-size Master Verifier Key Set, e.g., 1000 keys, provides a method to verify indicia without distributing data for each meter produced. The fixed key set is used to generate a set of time dependent token keys. These token keys are only valid for a limited time period. The token key set is signed by the Postal Service and encrypted with a special purpose distribution key for each verifier periodically, for example, once per month. The Postal Service encrypts the token key set with a distribution key to ensure confidentiality of the token key set. The distribution key is encrypted with a session key that is unique for each verifier. The session keys are updated regularly and distributed via an alternate channel, for example through physical means. A secure co-processor for each verifier maintains the confidentiality of the token key while it is decrypted for verifying an indicium. The co-processor must be physically secure to protect the token keys that have been distributed. If a secure co-processor of a verifier is compromised, such compromise will not provide access to future token keys.

DESCRIPTION OF THE DRAWINGS

The above and other objects and advantages of the present invention will be apparent upon consideration of the following detailed description, taken in conjunction with accompanying drawings in which like reference characters refer to like parts, in which:

FIG. 1 is a block diagram of a prior art postage evidencing and verification system;

FIG. 2 is a block diagram of a postage evidencing and verification system in which the present invention may be performed;

FIG. 3 is a flow chart of the initialization and distribution of a fixed key set of verifier token keys;

FIG. 4 is a flow chart of token verification by a verifier;

FIG. 5 is a flow chart of complete verification by the postage evidencing and verification system;

FIG. 6 is a block diagram of data proposed for an OCR version of a fixed key set indicium in accordance with the present invention; and

FIG. 7 is a block diagram of data proposed for a bar-code version of a fixed key set indicium in accordance with the present invention.

DETAILED DESCRIPTION OF THE PRESENT INVENTION

In describing the present invention, reference is made to the drawings, wherein there is seen in FIG. 1 a prior art system, generally designated 10, for verifying cryptographic postage evidencing using a fixed key set. The system in accordance with the present invention comprises a digital meter 12 interacting with a plurality of different security or forensic centers: a postal data center 20 and a vendor data center 30. A meter manufacturer 40 manufactures a customized digital meter 12 with a meter number 14, a postal master key 16 and a vendor master key 18. The postal master key 16 is stored in a master key database 22 at the postal data center 20. The vendor master key 18 is stored in a master key database 32 at the vendor data center 30. When meter 12 is initialized the postal and vendor master keys are used to generate in the meter respective postal and vendor token keys 24 and 34.

Preferably, the postal and vendor token keys are date dependent, for example, each being valid for only one month, at which time new token keys must be generated. The postal and vendor token keys 24 and 34 are used to generate respective unique postal and vendor tokens which are encrypted numbers based on postal data uniquely attributable to the particular meter 12. For a more detailed description of the generation of digital tokens, see U.S. Pat. No. 5,390,251, previously noted.

The postal token key 24 is used by meter 12 to generate 
a postal digital token which is printed on a mailpiece 55. The 
postal data center 20 verifies the postal token read from 
mailpiece 55 using the postal token key 24 which is gener- 
ated at the postal data center 20 using the postal master key 
16 and postal data read from the indicium of mailpiece 55. 
Likewise, the vendor token key 34 is used by meter 12 to 
generate a vendor digital token which is printed on mail- 
piece 55. The vendor data center 30 verifies the vendor token 
read from mailpiece 55 using the vendor token key 34 which 
is generated at the vendor data center 30 using the vendor 
master key 18 and postal data read from the indicium of 
mailpiece 55. 

Further details of verifying cryptographic postage evidencing using a fixed key set are to be found in U.S. application Ser. No. 08/133,416, filed Oct. 8, 1993, previously noted.

FIXED KEY SET KEY MANAGEMENT SYSTEM

Referring now to FIG. 2, a system in accordance with the 
present invention is shown for verifying cryptographic post- 
age evidencing using a fixed key set. The system compo- 
nents that are identical to the prior art system shown in FIG. 
1, which are designated with the same reference numerals, 
operate in the manner described above. 

The postal and vendor data centers 20 and 30, wherever 
maintained, are connected electronically, for example by 
telecommunication, with any or all verification centers, also 
referred to herein as verifiers, one of which is indicated here 
at 60. 

The present invention provides a symmetric-key trun- 
cated message authentication code (MAC) based system that 
simplifies key management issues for verifiers. (A 
symmetric-key truncated MAC is also referred to herein as 
a digital token.) Three digital tokens provide postage evi- 
dence to three different authorities: the postal data center 20, 
the vendor data center 30, and the verifiers 60. The main 
difference in the three digital tokens is the key management 
system. The Post verifies one digital token off-line at the 
secure postal data center 20. The vendor secure data center 
30 has the key to validate the second digital token when 
required. These first two digital tokens are similar to those 
described in U.S. Pat. No. 5,390,251, previously noted, and 
currently produced for Personal Post Office digital meters 
manufactured by Pitney Bowes of Stamford, Conn. During 
meter manufacture, the vendor securely generates and 
encrypts the keys used to produce these first two digital 
tokens, and assigns them to each meter. A secure key 
management system stores the keys in signed, encrypted 
records, that include meter serial number and key status. 

As used herein, on-line verification is verification performed during the real-time processing of the mailpieces, and off-line verification is verification performed separate from the real-time processing of the mailpieces.

In accordance with the present invention the third, or verifier, digital token is for distributed postal verifiers which perform the only on-line verification. The keys 50 are selected from a fixed Verifier Master Key Set 100. Although there is a security trade-off in using a fixed key set, off-line verification of postal and vendor digital tokens compensates for this trade-off. The present invention provides an advantage over previous methods for verifying indicia integrity because verification is achieved without distributing unique keys stored in each meter.

The Verifier Master Key Set 100 is not distributed to verifiers 60. The distributed keys are from an intermediate Token Key Set 110, generated at the postal data center 20, based on the month and year, using the Verifier Master Key Set 100. Token keys are only valid for one month.

The Token Key Set 110 is securely communicated to the verifiers 60. It may be signed by the Postal Service and is encrypted with a fresh distribution key generated by the Postal Service. A verifier specific session key encrypts the distribution key. The verifiers securely receive fresh session keys through an alternate channel, for example, by physical distribution. Like all symmetric-key systems, the verifier 60 requires access to a secret key of each meter to verify indicia. Each meter 12 generates its token keys 52 in an intermediate step prior to generating a digital token. The verifier 60 retrieves the token key from the Token Key Set 110.

In this manner, the present invention protects the Verifier Master Key Set 100. If the Token Key Set is compromised, thus exposing current token keys, such compromise does not provide access to future token keys. Furthermore, this type of failure can be detected using the vendor and postal digital tokens. A physically secure co-processor, for each verifier, maintains confidentiality of the decrypted token keys which verify indicia. The Token Key Set 110 is always encrypted while it is outside the secure co-processor. When presented with indicium data, the verifier responds only with a message that the indicium is valid or invalid. The verifier does not respond with the valid digital token.

Compared to a public-key system, there is much less cryptographic indicia data with the symmetric-key system of the present invention. Either an optical character recognition (OCR) or a bar code symbology fits the area currently allocated for the indicium. If the data is printed in a bar code, a large module size can be used, improving readability. Error correction improves readability; for example, at PDF417 security level 3, the indicium has over 25% of the data as error correction code, resulting in a robust indicium that is easier to print and read. The OCR version allows for error-correction code and human back-up of the automated scanning process.

Referring now to FIG. 3, a process for the initialization and distribution of a fixed key set of verifier token keys is shown in accordance with the preferred embodiment of the present invention. At step 200, the Manufacturer 40 generates a random verifier master key "1000 key" set 100.

At step 210, Manufacturer 40 generates triple DES pointer keys.

At step 220, Manufacturer 40 distributes the verifier master key set 100 and pointer keys to the Vendor and Postal Data Centers 30 and 20.

At step 230, the Postal Data Center 20 calculates monthly token keys for a verifier token key set 110, and encrypts the verifier token key set with a distribution key.
At step 240, the Postal Data Center 20 establishes a session key with each verifier 60 by techniques well known in the art.

At step 250, the Postal Data Center 20 encrypts the distribution key with each verifier session key, and, at step 260, distributes the token key set and the encrypted distribution key to each of the verifiers. Steps 230 through 260 are repeated each month.

Referring now to FIG. 4, a process for secure co-processor verifier token verification is shown in accordance with the preferred embodiment of the present invention. At step 300, the verifier 60 receives indicium data and a meter number 14 read from an indicium being verified. At step 310, verifier 60 uses the triple DES pointer keys to obtain pointers related to the meter 12 that printed the indicium being verified. At step 320, verifier 60 uses the pointers to retrieve the encrypted verifier token keys 34 of the meter 12 and then decrypts the retrieved keys. At step 330, verifier 60 regenerates the verifier token 34, and, at step 340, compares the regenerated verifier token from the indicium with the verifier token retrieved from the verifier token key set 110.

Referring now to FIG. 5, the overall verification process is shown in accordance with the preferred embodiment of the present invention. At step 400, the indicium printed on a mailpiece is scanned to obtain indicia data, including a verifier token and a meter number included therein. At step 405, verifier 60 performs verifier token verification as set forth above. If verification is successful, at step 410, the mailpiece is verified and the indicia data is sent, at step 415, to the Postal Data Center 20, on a sample basis for off-line verification. If the verification was not successful, then a fraud investigation is performed at step 420.

At step 425, the Postal Data Center 20 performs off-line verification of the postal token in the indicia data. If successful, then, at step 430, the indicia data is sent to the Vendor Data Center 30 for further off-line verification. If any verification is not successful, then a fraud investigation is performed at step 435.

At step 440, the Vendor Data Center 30 performs off-line verification of the vendor token in the indicia data. If successful, then, at step 445, the verification process of the mailpiece has been successfully concluded. If the verification was not successful, then a fraud investigation is performed at step 450.

The cryptographic strength of the algorithm is as strong as multiple DES. Other suitable symmetric key algorithms can be adapted for the purpose of the present invention. The fixed set of keys simplifies key management for remote postal verifiers. The additional infrastructure required is a secure co-processor for each verifier, generation and distribution of a small set of token keys once per month and provision of a distribution key to each verifier periodically. None of these requirements adds significantly to the cost. The verifiers already need the capability to transfer files for the missing meter list, the duplicate detection lists, and for distribution of public keys.

Mailers will continue finishing mail using mailing machines. The proposed symmetric key system provides multiple paths of payment assurance through a few digits added to indicia information.

There are various methods of generating the Verifier Master Key Set 100. A minimum data solution is to derive the keys based on the meter number through a cryptographic algorithm. The meter does not require this algorithm but the verifier needs to be able to calculate keys for each meter. A good solution is to generate a large set of random keys indexed by meter number before manufacturing the meters. The present invention provides an intermediate solution using a fixed key set, e.g., one thousand keys, from which the meter keys are derived.

The meter generates the postal and vendor digital tokens by keys known to the postal data center 20 and vendor data center 30, respectively. Distributing these keys to postal verifiers 60 would require an infrastructure that would be beyond a desired postal infrastructure.

The verifier digital token is a truncated triple DES MAC. The verifier 60 selects three DES keys used to generate the MAC from the Token Key Set 110. The three pointers used to select the keys are derived by a cryptographic pseudo-random function based on the meter number 14. The meter 12 has no information about this function. The meter generates the verifier token keys using its Verifier Master Keys 50.

A table of 2^N Verifier Master Keys is generated independently and randomly. The table index is an N bit long pointer p. In the preferred embodiment, N=10, which yields 1,024 Verifier Master Keys. Each meter 12 uses an ordered set of three Verifier Master Keys 50, resulting in one billion different meter key sets.

A secure co-processor signs and encrypts this set of keys. The encrypted key set is securely shared by the postal data center 20 and the vendor data center 30. Access to the encrypted list is limited to secure co-processors at the vendor data center 30 and the postal data center 20. The vendor data center 30 installs keys into meter 12 through the manufacturing operation 40. The postal data center 20 uses the Verifier Master Key Set to generate the verifier Token Key Set 110.

The meter 12 and the verifier 60 use token keys to calculate the verifier digital token via a truncated CBC-DES ("CBC" is the cipher-block-chaining mode of DES):

truncate(DES(Kt3, Data3 ⊕ DES(Kt2, Data2 ⊕ DES(Kt1, Data1)))),

where ⊕ is exclusive-or. The three data blocks all contain variable postal data, such as the piece count. The truncation operation results in a correct digital token, at least 10 bits long, with very low probability that the verifier digital tokens can be guessed correctly.

KEY MANAGEMENT

A triple-DES algorithm derives pointers from the meter identification number:

des(K1, DES(K2, des(K3, meter identification number))) = (D, p1, p2, p3).

The keys Ki are known to secure co-processors located at the vendor and postal data centers, and at the verification sites. There may be multiple sets of these keys, based on vendor and meter data.

The pointers pi are, for example, each 10 bits long, and D is the remaining, discarded 34 bits. The size of the database depends on these numbers. Each Verifier Master Key K(pi) is an ordered pair of two DES keys, (K0(pi), K1(pi)). Each meter is initialized with K(p1), K(p2), and K(p3) corresponding to the meter identification number.

The verifier master keys 50, acting on the date (MMYYYY), using triple DES, produce the monthly verifier token keys:

Kt1 = DES(K0(p1), DES(K1(p1), DES(K0(p1), MMYYYY))),
Kt2 = DES(K0(p2), DES(K1(p2), DES(K0(p2), MMYYYY))),
Kt3 = DES(K0(p3), DES(K1(p3), DES(K0(p3), MMYYYY))).

These verifier token keys 52 are valid for a selected period of time, for example, one month. Given the current verifier token keys, the problem of an attacker calculating the verifier master keys or the verifier token keys for any other month is intractable.

Initialization data in each verifier 60 allows mutual authentication with the postal data center 20. This information may be public-key certificates of the verifier 60 and the postal data center 20. The verifier secure co-processors must be securely distributed and managed. Each month, when receiving new token keys, the verifier 60 is remotely inspected to be sure it is present and not tampered.

The postal data center 20 generates monthly session keys for each verifier 60. A monthly distribution key is used to provide confidentiality of the Token Key Set 110. The postal data center 20 distributes the monthly Token Key Set 110 to verifiers 60, encrypted with the monthly distribution key. This file has a reasonable size: if the fixed key set 110 provides a unique key for each meter number, then the size equals the number of meters times 16 bytes per key, and the Token Key Set 110 can be distributed by a monthly CD-ROM sent to the verifiers 60, or downloaded via the network. If the fixed key set 110 contains a few thousand keys, then its size is a few times 16 kilobytes. It can be distributed to the verifiers 60 by a monthly diskette, or through a reasonable size downloaded file.

There is a risk of exposing Verifier Master Keys in this system. In order to allow recovery if this happens, the system needs a method of updating the keys. This requires a secure method of installing new keys in each meter 12, and a key version number in the indicium so the verifier 60 can select the correct key set during an interim period, for example, before all new keys are installed.

FIXED KEY SET INDICIA 

The data proposed for the Fixed Key Set indicium is outlined above. The only additions are the verifier digital token and additional error-correction code. FIG. 6 shows the data in an OCR version. FIG. 7 illustrates a bar code version.

The present invention is described in a preferred embodiment for the verification of postage evidencing printed on a mailpiece. It will be understood by those skilled in the art that the present invention is suitable for use in verifying any physical object which carries information in a visual form.

While the present invention has been disclosed and 
described with reference to a single embodiment thereof, it 
will be apparent, as noted above, that variations and modi- 
fications may be made therein. It is, thus, intended in the 
following claims to cover each variation and modification 
that falls within the true spirit and scope of the present 
invention. 

PostPerfect™ and Personal Post Office™ are trademarks 
of Pitney Bowes Inc., the assignee of the present invention. 

What is claimed is:

1. A method of verifying indicia by a verifier, the method comprising the steps of:
obtaining indicium data and a transaction evidencing device identification from an item;
using a pointer algorithm to find pointers;
retrieving token keys for the transaction evidencing device;
computing a verifier token based on the retrieved token key;
comparing the computed token with the verifier token from the indicium data.

2. The method of claim 1 comprising the further step of:
investigating for fraud when the computed token is different from the verifier token.

3. The method of claim 1 comprising the further steps when the computed token is the same as the verifier token:
verifying a postal token from the indicium data; and
verifying a vendor token from the indicium data.

4. The method of claim 1 wherein the step of retrieving token keys for the transaction evidencing device includes decrypting the token keys.

5. The method of claim 2 comprising the further step of:
storing at least one of said master keys into a transaction evidencing device.